Alternative Methods to Mitigate Security Risks Tutorial

1 Compare and Contrast Alternative Methods to Mitigate Security Risks

Protecting data that is stored in devices other than the main database server is an aspect that is often more or less ignored. Ensuring the confidentiality and integrity of data is the end goal of IT security.
On that note, let's begin with objectives in the next screen.
After completing this lesson, you will be able to:
• Describe Data Security and its measures,
• Explain Data Encryption and its features,
• Elaborate Hardware based Encryption Devices, and
• Summarize Data Policies and its common features.

2 Data Security and its Measures

In this topic you will learn about Data Security and its measures.
In an organization, data is the most valuable treasure, and it needs to be secured by all means. This data may be both professional and personal.
At the same time, there are many providers claiming to offer solutions that cover the three key aspects or issues related to data security: Confidentiality, Integrity, and Availability.
However, you need to be smart enough to choose the solution that is appropriate for your organization.
Cloud computing is a network connection that helps you in storing and accessing your data from a virtual machine instead of your computer’s hard drive.
Hard drives have limited storage capacity. Also, when the system is overloaded with data, there is a high possibility of system crash, resulting in data loss. This is where cloud computing comes as an outstanding alternative.
The important feature of cloud computing is its capacity to store large amounts of data. Once you add your data on a computer hosted in the cloud, you don’t have to worry about its storage and security. Whatever task you do on your computer is directly saved in the cloud with appropriate synchronization. Hence, the complexity of saving your data on a hard drive is eliminated. This enables more users to use cloud resources according to their requirements. With the help of this technology, companies are able to store and access their data from any part of the world.
The main reason to implement cloud computing is that it lets you access services such as databases and e-mail without bearing the cost of managing databases and huge rack servers. The service providers manage all this at their end.
In other words, you pay only for the resources and the storage space that you use. You don’t have to pay for any external hardware or software that stores your data.
Cloud computing is a natural extension of virtualization, Internet, and distributed architecture, and it fulfils your need to access data and resources globally. Additionally, it offers you features, such as easy accessibility, reliability, effective and robust protection, and data backup. Also, it is cost effective, and helps you in disaster recovery and security.
However, as every technology comes with some drawbacks, even cloud computing has some issues related to privacy, obeying rules and standards, and security.
A storage-area network, or SAN, is a high-performance network that connects internal storage devices with multiple servers. It is different from the primary communication network, and acts as a separate server for the main organizational network.
For example, multiple servers, network storage devices, and switches might be designed to store several terabytes of data.
This small network storage comes with the feature of data storage. Hence, it is connected to the main organizational network. It is used to enhance networked storage devices such as hard drives and tape libraries. This makes them appear as local storage to the servers.
SANs use a dedicated network to offer unmatched storage separation. This separation provides the required security, and makes it difficult for unauthorized users to access data directly without permission. Moreover, it forces all access attempts to go through applications and interfaces that are restricted by the server.
Now, let's talk about the security of SANs. Because a SAN is network-based, it requires, like any other server, security measures such as firewalls, intrusion detection systems, user access control, and others.
SANs are primarily used when you need to store a large amount of data that needs to be accessed by users across the network.
As an organization grows, so does the data that it stores and accesses on a daily basis. This data is counted in terabytes. The data is so big that it cannot be stored on a single server. Such big data is stored on a SAN.
The difficulties come in when you want to search, store, analyze, transfer, back up, distribute, manage, and present a huge amount of data, and you are still using ineffective and inefficient methods of data analysis.
Large volumes of data have the potential to reveal progressions and uniqueness that ordinary sets of data fail to address. As the volume of data increases, the complexity of data analysis increases as well.
Big data analysis requires high-performance applications running on massively parallel or distributed processing systems.

3 Data Encryption and its Features

In this topic, you will learn about Data Encryption and its features.
The process of translating data into a non-readable form is termed Encryption. It helps you in protecting the confidentiality of the data, and protecting it from unauthorized use.
For example, if you encrypt the data, and an unauthorized individual gets access to the file, then he or she will see only the encrypted data, and cannot interpret the information.
Let’s now discuss the different aspects of data encryption.
Full disk encryption is also termed whole disk encryption. It helps protect an operating system, its installed applications, and the data stored locally. However, whole-disk encryption provides its limited protection only when the system is switched off. If the system is active and an attacker gains access to it, there are many methods available to get around the hard drive encryption. You should always keep in mind that full-disk encryption is only a partial security measure.
If you want to strengthen your defense mechanism, you should use a long, complex passphrase to unlock the system on boot up, and it shouldn’t be written down or used on any other system, for any other purpose.
Whenever the system is not in use, you should shut down the system, and lock it physically to protect against unauthorized access or theft. Always consider hard-drive encryption as a delaying tactic rather than as a true prevention of unauthorized access to data stored on the hard drive.
Applications that you can use to perform full disk encryption are:
• Windows: BitLocker
• Linux: FileVault
The important point to note here is that the device can be decrypted only with the assigned key. If you lose the key, you are putting your data in danger. The best practice to secure your data is to take a backup of the assigned key.
Database encryption is the process of converting the electronic information held in a database into a non-readable, or ciphertext, format by using a suitable algorithm. This process is carried out with the help of a Database Management System (DBMS) product that includes native encryption features. This solution is generally preferred over encrypting the whole drive, which is implemented using a separate or independent solution. Native DBMS database encryption integrates the preferred encryption functions directly into the database software. This feature is now offered by most commercial or enterprise-grade databases, including Oracle and Microsoft SQL Server.
The most important advantage of encrypting a database over encrypting a full disk is that the data remains secured until an authorized user authenticates to access the data element. On the other hand, when the full drive is encrypted, the key to decrypt the data always remains in memory, because of which any file can be decrypted easily within seconds. So, compared with encrypting the whole drive, database encryption provides greater security against attacks by hackers, unauthorized users, and invalid requests.
As the name suggests, individual file encryption is a type of encryption that takes place file by file. The issue with this type of encryption is that it is not as secure as full disk encryption.
File-by-file encryption typically generates a random symmetric encryption key for each file. This key is then stored in encrypted form, using the user's public key. Users then use their private key to access the stored symmetric key, and with it unlock the file itself. Every time you use or view the file, it gets saved again, using a new randomly selected symmetric key.
The real pain areas that come with individual file encryption are the potential for data loss and the possibility that data recovery can be misused.
If the private key of the user is lost or corrupted, then it would be difficult, or rather impossible, to access the stored secure files. Only if you have appointed a recovery agent is it possible to get your files back. Also, ensure that the agent is trustworthy.
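The per-file key handling described above, as an added example in Go that is not part of the original lesson: each file gets a fresh AES-256-GCM key that is stored only in wrapped form, one copy for the user's public key and one for a recovery agent's. The function names, the RSA-OAEP wrapping and the nonce-in-front layout are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey makes a demo RSA key pair for a user or a recovery agent.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// gcmFor builds the AES-GCM cipher for one file key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile draws a fresh random key for this one file, encrypts the data, and
// returns the key only in wrapped form: one copy per public key, in the order given.
func EncryptFile(plain []byte, pubs ...*rsa.PublicKey) (data []byte, wrapped [][]byte, err error) {
	secret := make([]byte, 32+12) // 256-bit file key, then a 96-bit GCM nonce
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	key, nonce := secret[:32], secret[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	for _, pub := range pubs {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, nil, err
		}
		wrapped = append(wrapped, w)
	}
	return gcm.Seal(nonce, nonce, plain, nil), wrapped, nil // nonce sits in front of the ciphertext
}

// DecryptFile unwraps the file key with a private key, then decrypts and authenticates the file.
func DecryptFile(data, wrappedKey []byte, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil || len(data) < 12 {
		return nil, fmt.Errorf("truncated file or bad key (%v)", err)
	}
	return gcm.Open(nil, data[:12], data[12:], nil)
}

func main() {
	user, _ := NewKey()
	agent, _ := NewKey()
	data, wrapped, _ := EncryptFile([]byte("payroll (constructed sample)"), &user.PublicKey, &agent.PublicKey)
	plain, err := DecryptFile(data, wrapped[1], agent) // user key lost: the agent's copy still opens the file
	fmt.Println(string(plain), err)
}
```

Without the second wrapped copy, losing the user's private key makes the file key, and therefore the file, unrecoverable.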
We have always been warned against using removable media devices, as they come with a high likelihood of vulnerability and virus attacks. Despite this disadvantage, these drives are more convenient and are highly preferred. This is because of their ability to store data and remove it from a computer at any given point in time.
However, removable drives can never be a really secure option. They leave the hosted data weakly protected, which leads to theft and malicious code attacks.

4 Individual Files

Let’s take some examples to understand how removable media can cause harm. Suppose you are working on a project in an organization. You use removable media to transfer data, or sometimes burn data to a CD. When the device stops working or gets corrupted, you tend to throw it away. This gives a hacker the opportunity to obtain the discarded data by dumpster diving: the hacker takes the discarded media and tries to recover the data, as there are high chances that it can be recovered easily.
There are many devices we use as removable media for data storage. A few of the removable devices are as follows:
Tape Drives: Tape drives are commonly used media for taking backups. They have a larger capacity than any other type of removable media, except for hard drives. A tape stores data sequentially. Hence, the elements of data are written and read in sequence rather than in the semi-random manner of a hard drive.
Recordable Compact Discs, or CD-Rs: This group includes a variety of optical media such as CD-R, CD-RW, DVD-R, DVD-RW, and Blu-ray Disc Recordable (BD-R). Writable CDs and DVDs are often not suitable for network backups because of their size, but they’re useful for personal or client-level backups. BD-Rs have a capacity of 25 GB to 50 GB, which can prove useful in some environments, but they aren’t a widely implemented solution. Nevertheless, the data on a CD isn’t protected and is vulnerable to unauthorized access if you don’t maintain physical control over the media.
Hard Drives: Hard Drives are usually considered as computer’s permanent internal storage devices. Even if this is true, hard drives come in removable formats. These include hard drives that are plugged into the case or attached by SCSI, eSATA, USB, or IEEE 1394 FireWire connections with their own external power-supply connections.
Flash Cards or Memory Cards: We all know the flash cards and memory cards that we use in our daily lives. These are forms of storage that use EEPROM or NVRAM memory chips in a small-form-factor case. These are memory chips of small cube size. Flash cards often use USB connectors or are themselves inserted into devices such as MP3 players and digital cameras. Some flash cards are so small that they can be concealed easily.
Smartcards: Smart cards are used for authenticating your identity. They are used by networks, portable computers, PDAs, satellite phones, Public Key Infrastructure (PKI) devices, and many more. The card holds memory to store a password, PIN, certificate, private key, or digital signature. When the card is used for authentication, the system uses the stored data to verify your identity. A smartcard can even function as a credit card like the American Express Blue card.
Diskettes or floppies: Diskettes or floppies are types of removable media. These media have very little storage capacity. However, even if their storage capacity is low, they can be a major security threat to protected data. This threat can occur when these media get into the wrong hands. Also, there is a high possibility that they can leave malware or viruses in your system.
Smart Phone, PDA, Notebook, and Tablet are different types of Mobile Devices. The serious issue with these mobile devices is that only a few devices support data encryption.
There are some mobile phones that support specific file data encryption and not entire storage media. This can be done with the help of different applications.
With changing trends in technology, mobile devices are more likely to be used as PCs, and not just mobile phones. Mobile devices often run on traditional operating systems that do not include encryption, or we can say that, encryption can be enabled by installing third party applications.

5 Elaborate Hardware based Encryption Devices

In this topic you will learn about different hardware encryption devices.
The Trusted Platform Module, or TPM, is a hardware device that provides you with robust public key security, which is used for personal computers, and embedded processors on a single chip.
The TPM is used to store information that is protected from software attacks, and to store and process cryptographic keys for encryption systems that support hardware encryption.
Always remember that whenever you use TPM-based full disk encryption, you ought to create a password or a physical USB token. This helps in authenticating you and allowing the TPM chip to release the hard-drive encryption keys into memory. This process seems similar to software encryption, but the major difference between the two is that when the hard drive is removed from its main system, it can never be decrypted.
Encrypted hard drives can be decrypted and accessed only using the original TPM chip. To move the hard drive to a system without any access or authentication, you need to perform hard drive encryption with the help of software.
A Hardware Security Module, or HSM, enables you to perform operations related to storing or managing encryption keys, accelerating cryptographic operations, supporting rapid digital signatures, and improving authentication. An HSM can be an add-on adapter, a peripheral, or a TCP/IP network device.
HSMs include an internal protection mechanism to prevent abuse even if a hacker or attacker gains physical access.
Moreover, they provide a fast and robust solution for large asymmetric encryption calculations and a well-protected vault for storing keys. It may interest you to know that different services and stores use HSMs for different purposes. For example, certificate authorities use HSMs to store certificates; ATM and POS banking systems include HSMs with SSL accelerators; and DNSSEC-compliant DNS servers use HSMs for storing keys and zone files.
Encrypting USB is often related to USB storage devices, including connected USB hard drives and pen drives. There are a handful of manufacturers who include encryption features in their USB devices. These USB devices come with an auto run tool that enables you to encrypt the content, once your identity is authenticated. An example of such an encrypted USB device is an IronKey.
If your USB device doesn’t provide the encryption feature, you can add the feature using various commercial and open source solutions. One of the open source solutions that provides encryption is TrueCrypt. This is one of the most trusted solutions, and it helps you in encrypting files, folders, partitions, drive sections, or complete drives, whether internal, external, or USB.
Hard-drive encryption can be provided by a software solution or through a hardware solution. Some hard-drive manufacturers offer hard-drive products that involve hardware-based encryption services. However, most of these solutions are proprietary and don’t disclose their methods or algorithms, and some of them have been cracked easily.
Using a trusted software encryption solution can be a cost-effective and a secured choice. But you need to realize that no form of hard-drive encryption, hardware or software based, is a guaranteed protection against all possible forms of attack.
Data cannot be termed a dormant entity on your storage device. In other words, it acquires different states since its origination. This calls for employing the required security features, as it encounters different events and environments. There are three states of data.
The first state is Data in transit. Your data acquires this state, when it communicates over the network, and you need to provide session encryption security to protect the communication process.
Next we have Data at rest. During this state, the data is stored in a location or device, such as a hard drive or cloud space, and to maintain and protect the data, you need to provide file or whole drive encryption.
The third state is Data in use. In this state, the data is being actively used by the application. The physically secured environment helps in securing open and active data. You need a well-established security standard and physical access controls to provide reasonable protection for when the data is in this state.
Whenever you store your data in a secured location as a backup, the most important thing to do is grant permissions through the Access Control List (ACL). This allows only authorized users to access the data.
Permissions are the activities for which you either grant or deny access. An ACL, on the other hand, is a collection of individual access control entries and permissions.
It is recommended that you assign permission to access data on the basis of user’s role or job responsibility. If a team does not require certain data to perform their task, you should not provide them with the rights to access the said data. Here the principle of least privilege is followed.
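A small model of the ACL described above, added here as an example in Go (it is not part of the original lesson): it evaluates a request against the access control entries and lists the grants that exceed what each role's job requires. The role names, permission names and the rule that an explicit deny beats any allow are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// ACE is one access control entry: it grants or denies one permission to one role.
type ACE struct {
	Role, Perm string
	Allow      bool
}

// ACL is the collection of entries attached to one resource.
type ACL []ACE

// Allowed reports whether a user holding the given roles may use perm.
// Assumed evaluation rules: an explicit deny wins over any allow, and a
// request that matches no entry is denied.
func (a ACL) Allowed(roles []string, perm string) bool {
	granted := false
	for _, e := range a {
		for _, r := range roles {
			if e.Role == r && e.Perm == perm {
				if !e.Allow {
					return false
				}
				granted = true
			}
		}
	}
	return granted
}

// Excess lists the allow entries that give a role a permission its job does not
// need (least-privilege violations). needs maps a role to its required permissions.
func (a ACL) Excess(needs map[string][]string) []string {
	var out []string
	for _, e := range a {
		needed := false
		for _, p := range needs[e.Role] {
			needed = needed || p == e.Perm
		}
		if e.Allow && !needed {
			out = append(out, e.Role+":"+e.Perm)
		}
	}
	sort.Strings(out)
	return out
}

// BackupACL is a constructed ACL for a backup share (all names are hypothetical).
var BackupACL = ACL{
	{"backup-operator", "read", true},
	{"backup-operator", "write", true},
	{"helpdesk", "read", true},
	{"helpdesk", "delete", true},
	{"contractor", "read", false},
}

func main() {
	needs := map[string][]string{"backup-operator": {"read", "write"}}
	fmt.Println(BackupACL.Allowed([]string{"helpdesk", "contractor"}, "read")) // false: the deny entry wins
	fmt.Println(BackupACL.Excess(needs))                                       // [helpdesk:delete helpdesk:read]
}
```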

6 Summarize Data Policies and its Common Features

In this topic, you will learn about data policies and its common features.
Data policies help in providing privacy, reliability, and accessibility to protect data, and they often overlap with other common security policies that include access, incident response, disaster recovery, backup, and so on.
Now let’s learn about several common elements of a data policy.
Wiping is the process of cleaning out data from a storage device. This is a key process because, despite deleting the data from the device, certain portions stay behind. This can be the reason for data leakage. This process can also be termed disposal or sanitization of the data.
Wiping procedures include degaussing, overwriting with random data, and zeroization.
Data wiping techniques are good enough only in a secured environment, and there is no guarantee that a wiped device can be used with complete safety in a less secured environment.
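Two of the procedures named above, overwriting with random data and zeroization, as an added example in Go that is not part of the original lesson: the file is overwritten in place, each pass is synced to disk, and the result is read back before the file is deleted. The function name and the number of passes are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
)

// zeros is an endless stream of zero bytes for the zeroization pass.
type zeros struct{}
func (zeros) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// WipeFile overwrites path in place with randomPasses passes of random data and
// one zeroization pass, then reads it back. It returns the bytes overwritten.
func WipeFile(path string, randomPasses int) (int64, error) {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	size, err := f.Seek(0, io.SeekEnd) // file length
	for i := 0; err == nil && i <= randomPasses; i++ {
		src := io.Reader(rand.Reader)
		if i == randomPasses {
			src = zeros{} // last pass: zeroization
		}
		if _, err = f.Seek(0, io.SeekStart); err == nil {
			_, err = io.CopyN(f, src, size)
		}
		if err == nil {
			err = f.Sync() // push this pass to the device before the next one
		}
	}
	if err != nil {
		return 0, err
	}
	buf := make([]byte, 64*1024)
	for r := io.NewSectionReader(f, 0, size); ; {
		n, err := r.Read(buf)
		if len(bytes.Trim(buf[:n], "\x00")) != 0 {
			return 0, errors.New("verification failed: non-zero data remains")
		}
		if err == io.EOF {
			return size, nil
		} else if err != nil {
			return 0, err
		}
	}
}

func main() {
	f, _ := os.CreateTemp("", "wipe-demo-*") // constructed sample file
	f.WriteString("customer list (constructed sample data)")
	f.Close()
	fmt.Println(WipeFile(f.Name(), 2))
	os.Remove(f.Name()) // delete only after the overwrite has been verified
}
```

On SSDs and on journaling or copy-on-write file systems, an in-place overwrite may not reach the blocks that held the original data, so a verified overwrite of the file is not proof that the device holds no remnants.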
Whenever a particular storage device is no longer in use, you need to dispose of it physically.
The physical measures of disposing a device can be burning, an acid bath, or crushing the device. After this process, the leftover debris needs to be tackled and cleaned by professionals of recycling services. They will appropriately recover the metals that are useful and destroy the ones that can prove to be harmful or are made of toxic materials.
The policy for maintaining data until a particular period of time is known as the retention policy. This policy covers the purpose of the held data, the security that is implemented, and the officers involved in authorizing access to the held data. Different industry rules and contractual obligations may require minimum time frames for a certain type of data.
The means, mechanisms, and location for the long-term accommodation of the storage devices is termed storage policy. No current storage technology has proven to be long-lasting, so you should have a plan that provides the best storage facility. This facility should ensure the best environment with regard to heat, light, humidity, and vibration. Also, the security implemented should be trustworthy. The transfer of data from an old storage device to a new one should be managed properly, especially when the data is retained for longer than the predicted lifetime of the storage device.

8 Summary

Let us summarize the topics covered in this lesson.
• Data security is a matter of protecting the confidentiality, integrity, and availability of data.
• Data encryption is the application of cryptography solutions to protect data on storage devices.
• A hardware-based encryption device is a hardware solution that provides encryption or related services instead of using only a software solution.
• Common elements of data policy include wiping, disposing, retention, and storage.
With this we conclude this lesson, “Compare and contrast alternative methods to mitigate security risks.”
In the next lesson, we will look at “Compare and contrast alternative methods to mitigate security risks in static environments.”